Jump to content

Ver. 12 HIPS "Under The Hood" Enhancements


Recommended Posts

I just noticed that the HIPS can now monitor registry key value changes. I know from testing with prior Eset versions, this was not possible although I haven't tested this in some time.

So what else is new? Are file name wildcards; i.e. "*", now finally supported in the retail versions? 

Link to comment
Share on other sites

  • Most Valued Members
11 hours ago, itman said:

I just noticed that the HIPS can now monitor registry key value changes. I know from testing with prior Eset versions, this was not possible although I haven't tested this in some time.

So what else is new? Are file name wildcards; i.e. "*", now finally supported in the retail versions? 

That exploit does create a registry key inorder to give you Admin permissions while you are not admin, and it doesn't prompt you the UAC : https://www.exploit-db.com/exploits/45660/

ESET doesn't block it or prevent it from doing any changes to the registry

Link to comment
Share on other sites

2 hours ago, Rami said:

That exploit does create a registry key inorder to give you Admin permissions while you are not admin, and it doesn't prompt you the UAC : https://www.exploit-db.com/exploits/45660/

I wasn't referring to any specific registry key bypass.

It appears Eset HIPS now has one or more default rules that specifically monitor for select reg. key value creation, modification, or deletion. In previous Eset vers., the HIPS did not have the capability to monitor reg. key values; only changes to reg. keys could be monitored. I found this out when attempting to create rules for the old Comodo Leak Test.

Link to comment
Share on other sites

  • Most Valued Members
51 minutes ago, itman said:

I wasn't referring to any specific registry key bypass.

It appears Eset HIPS now has one or more default rules that specifically monitor for select reg. key value creation, modification, or deletion. In previous Eset vers., the HIPS did not have the capability to monitor reg. key values; only changes to reg. keys could be monitored. I found this out when attempting to create rules for the old Comodo Leak Test.

I see I understand now , I thought it had the capability to detect changes to the registry by programs/scripts.

Link to comment
Share on other sites

10 hours ago, Rami said:

That exploit does create a registry key inorder to give you Admin permissions while you are not admin, and it doesn't prompt you the UAC : https://www.exploit-db.com/exploits/45660/

ESET doesn't block it or prevent it from doing any changes to the registry

FYI.

To say UAC bypassing is trivial would be an understatement. I couldn't find a list of auto elevating Windows .exe's for Win 10, so below is a list for Win 7. Almost all can be detected if used maliciously by setting UAC to the maximum level:

Quote

Executables With Auto-Elevate Privileges 
 ======================================== 
 AdapterTroubleshooter.exe 
 BitLockerWizardElev.exe 
 CompMgmtLauncher.exe 
 ComputerDefaults.exe 
 DeviceEject.exe 
 DeviceProperties.exe 
 FXSUNATD.exe 
 MdSched.exe 
 MultiDigiMon.exe 
 Netplwiz.exe 
 OptionalFeatures.exe 
 SndVol.exe 
 SystemPropertiesAdvanced.exe 
 SystemPropertiesComputerName.exe 
 SystemPropertiesDataExecutionPrevention.exe 
 SystemPropertiesHardware.exe 
 SystemPropertiesPerformance.exe 
 SystemPropertiesProtection.exe 
 SystemPropertiesRemote.exe 
 TpmInit.exe 
 bthudtask.exe 
 chkntfs.exe
 cleanmgr.exe 
 cliconfg.exe 
 dccw.exe 
 dcomcnfg.exe 
 dfrgui.exe 
 djoin.exe 
 eudcedit.exe 
 eventvwr.exe 
 fsquirt.exe 
 hdwwiz.exe 
 ieUnatt.exe 
 iscsicli.exe
 iscsicpl.exe 
 lpksetup.exe 
 msconfig.exe 
 msdt.exe 
 msra.exe 
 newdev.exe 
 ntprint.exe 
 ocsetup.exe 
 odbcad32.exe 
 perfmon.exe 
 printui.exe 
 rdpshell.exe 
 recdisc.exe 
 rstrui.exe 
 sdbinst.exe 
 sdclt.exe 
 shrpubw.exe 
 slui.exe 
 spinstall.exe 
 taskmgr.exe 
 tcmsetup.exe 
 verifier.exe 
 wisptis.exe 
 wusa.exe 

https://www.digitaldefense.com/ddi-labs/using-application-compatibility-fixes-to-bypass-user-account-control/

Link to comment
Share on other sites

  • Most Valued Members
10 hours ago, itman said:

FYI.

To say UAC bypassing is trivial would be an understatement. I couldn't find a list of auto elevating Windows .exe's for Win 10, so below is a list for Win 7. Almost all can be detected if used maliciously by setting UAC to the maximum level:

https://www.digitaldefense.com/ddi-labs/using-application-compatibility-fixes-to-bypass-user-account-control/

The exploit is about 14 days old and still Microsoft didn't patch it, weird isn't it?

Link to comment
Share on other sites

5 hours ago, Rami said:

The exploit is about 14 days old and still Microsoft didn't patch it, weird isn't it?

Microsoft has repeatedly stated that UAC is not a security boundary. As such, UAC bypasses will only be mitigated if they hit the public press outlets and "Big Brother" decides the "heat" generated warrants a fix. 

Link to comment
Share on other sites

  • Most Valued Members
1 minute ago, itman said:

Microsoft has repeatedly stated that UAC is not a security boundary. As such, UAC bypasses will only be mitigated if they hit the public press outlets and "Big Brother" decides the "heat" generated warrants a fix. 

The exploit will open you an admin CMD , with an admin CMD you can do whatever you want while in the first place you are not even the admin.

Link to comment
Share on other sites

7 minutes ago, Rami said:

The exploit will open you an admin CMD , with an admin CMD you can do whatever you want while in the first place you are not even the admin.

This technique is common among malware that use Win trusted processes that perform hidden admin elevation.

Again, most of this activity can be detected by setting UAC to maximum level. If you get an UAC alert "out of the blue" from one of these processes, you can assume its most likely malware related. I also monitor all cmd.exe execution with an Eset user HIPS rule; have done this for some time.

Edited by itman
Link to comment
Share on other sites

  • Most Valued Members
2 minutes ago, itman said:

This technique is common among malware that use Win trusted processes that perform hidden admin elevation.

Again, most of this activity can be detected by setting UAC to maximum level. If you get an UAC alert "out of the blue" from one of these processes, you can assume its most likely malware related. I also monitor all cmd.exe execution with an Eset user HIPS rule; have done this for some time.

Ok I understand , thanks for the explanation.

Edited by Rami
Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...